Operator dossier

coinbasecartel (also tracked as coinbase cartel) is a ransomware operator currently active on public leak sites. Darkfield has indexed 176 public victims claimed by this operator between September 15, 2025 and May 16, 2026. CoinbaseCartel is a ransomware group that emerged in September 2025 with financially motivated operations targeting organizations across multiple sectors and geographic regions. The group has demonstrated significant activity in a short timeframe, compromising at least 102 known victims primarily across the United States, United Arab Emirates, Germany, Canada, and Brazil. Their targeting patterns show a preference for technology companies, financial services organizations, manufacturing entities, and consumer services businesses, suggesting an opportunistic approach focused on organizations likely to have both valuable data and the financial resources to pay ransoms. Given the group's recent emergence and limited public documentation from established threat intelligence sources, details regarding their specific attack methodologies, infrastructure, and organizational structure remain largely unconfirmed by major cybersecurity firms or law enforcement agencies. The group appears to maintain active operations as of late 2025, though comprehensive analysis of their tactics, techniques, and procedures awaits further investigation and reporting by established threat intelligence organizations.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

coinbasecartel

aka coinbase cartel · 176 victims indexed · first seen 8 months ago · last activity 5 days ago

176

Victims indexed

#49 of 348 tracked operators

Active period

Sep 2025 → May 2026

Countries hit

top US · 28

At a glance

Status: active
Aliases: coinbase cartel
First seen: 8 months ago
Last activity: 5 days ago
Onion sites: 1 known endpoint
Primary sector: Technology · 29 hits

About

CoinbaseCartel is a ransomware group that emerged in September 2025 with financially motivated operations targeting organizations across multiple sectors and geographic regions. The group has demonstrated significant activity in a short timeframe, compromising at least 102 known victims primarily across the United States, United Arab Emirates, Germany, Canada, and Brazil. Their targeting patterns show a preference for technology companies, financial services organizations, manufacturing entities, and consumer services businesses, suggesting an opportunistic approach focused on organizations likely to have both valuable data and the financial resources to pay ransoms. Given the group's recent emergence and limited public documentation from established threat intelligence sources, details regarding their specific attack methodologies, infrastructure, and organizational structure remain largely unconfirmed by major cybersecurity firms or law enforcement agencies. The group appears to maintain active operations as of late 2025, though comprehensive analysis of their tactics, techniques, and procedures awaits further investigation and reporting by established threat intelligence organizations.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/coinbase cartel

Timeline

7 months

2025-09-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 US

🇦🇪 AE

🇩🇪 DE

🇨🇦 CA

🇫🇷 FR

🇧🇷 BR

🇰🇷 KR

🇮🇹 IT

US dossier →AE dossier →DE dossier →CA dossier →

Top sectors

Technology

Not Found

Financial Services

Manufacturing

Consumer Services

Transportation/Logistics

Business Services

Energy

Technology dossier →Not Found dossier →Financial Services dossier →Manufacturing dossier →

MITRE ATT&CK

4 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

T1566Phishing
T1059Command and Scripting Interpreter
T1027Obfuscated Files or Information
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known

http://fjg4zi4opkxkvdz7mvwp7h6goe4tcby3hhkrz43pht4j3vakhy75znyd.onion

Source

Updated 5 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.